March 24, 2010

ROSS PHILO
EXECUTIVE VICE PRESIDENT AND CHIEF INFORMATION OFFICER

CHARLES L. MCGANN
MANAGER, CORPORATE INFORMATION SECURITY

SUBJECT: Audit Report – Windows Access Controls at the Information Technology and Accounting Service Centers – IS General Controls FY 2009 (Report Number IS-AR-10-006)

This report presents the results of our audit of Windows® access controls xxxxxxxxxx, xxxxxxxxxxxxxxxxxx Information Technology and Accounting Service Centers (IT/ASCs) and the Information Technology Service Center (ITSC) xxxxxxxxxxxx (Project Number 09RD001IS005). Our objective was to determine whether the U.S. Postal Service established adequate logical controls to limit or detect inappropriate access to its Windows operating environment. We performed this self-initiated review as part of the fiscal year (FY) 2009 information systems audit of general controls. See Appendix A for additional information about this audit.

Conclusion

The Postal Service established adequate logical controls to limit or detect inappropriate access to its Windows operating environment xxxxxxxxxxxxxxxxxxxxxxxxxXxxxxxx xxxxxxxxxxxxxxxxxx. However, management can improve access controls by regularly maintaining Active Directory®[1] objects and complying with Windows security standards.

Active Directory Management

System administrators were not updating the Active Directory Organizational Units (OUs), groups, and accounts xxxxxxxxxxxxxxxxxxxxxxxxxxxxx as required by Windows security standards and Postal Service policy.[2] This occurred because administrators do not have clearly defined responsibilities for maintaining and regularly updating Active Directory objects. By properly maintaining and updating Active Directory objects, management can reduce the risk of unauthorized access to Postal Service information resources, access authority exceeding job responsibilities, and operational disruptions. See Appendix B for our detailed analysis of this topic.

[1] A hierarchical database that stores information about two broad categories of computer objects: resources (e.g., printers, workstations, and servers) and security principals (e.g., user or computer accounts and groups, such as organizational units). Each object has a uniquely assigned security identifier, which controls access and sets security.
[2] Security Standards for Windows 2003 Servers, Section 1.2, Purpose, revised March 1, 2009. Handbook AS-805, Information Security, Section 9-3.2.5, Periodic Review of Access Authorization.

Windows Access Controls at the Information Technology and Accounting Service Centers – IS General Controls FY 2009 (IS-AR-10-006)

We recommend the manager, Corporate Information Security, work with the manager, Information Technology Engineering and Architecture, to:

1. Revise the Security Standards for Windows 2003 Servers to clearly define system administrator responsibilities for maintaining and regularly updating Active Directory objects.

Security Standards Compliance

Domain controllers[3] running on Windows operating systems did not comply with requirements documented in the Postal Service Windows security standards. This occurred because management did not perform a comprehensive review of server configurations against the Windows security standards and did not properly maintain the security standards document. By ensuring that server configuration settings comply with Postal Service policy,[4] management can strengthen security over information resources to protect against accidental or intentional unauthorized use, modification, disclosure, or destruction. See Appendix B for our detailed analysis of this topic.

We recommend the manager, Corporate Information Security, in coordination with the manager, Information Technology Engineering and Architecture, perform:

2. A review of the Security Standards for Windows 2003 and update the standards as appropriate.

3. A comprehensive review of the domain controller configurations to ensure compliance with applicable Windows security standards.

Management’s Comments

Management agreed with our recommendations. In response to recommendation 1, management accepts the recommendation to review the Security Standards for Windows 2003 servers, but believes the roles and responsibilities assignment does not belong in the Security Standards for Windows 2003 Server’s documents. They believe the roles and responsibilities belong in operational roles and responsibility guidelines because the system administrator’s responsibilities are consistent across the Windows platform. The targeted completion date is April 30, 2010.

To address recommendation 2, management will review the current hardening Security Standards for Windows 2003 Servers to determine if any changes are required. Management is currently testing Security Standards for Windows 2008, and servers under Security Standards for Windows 2003 will be migrated to that environment. Subsequent discussions with management revealed that the target date for completion of the Security Standards for Windows 2008 is September 30, 2010.

In response to recommendation 3, management will review the domain controller configurations to ensure compliance with applicable Windows security standards for domain controllers. The targeted completion date is April 30, 2010. See Appendix C for management’s comments in their entirety.

[3] A server that responds to security authentication requests (including logging in and checking permissions) within the Windows server domain. A domain controller physically stores Active Directory information. Large domains require more than one domain controller, where each holds a copy of Active Directory. Active Directory synchronizes any computer changes between all domain controllers, called “multi-master replication”.
[4] Security Standards for Windows 2003 Servers, Section 3.10, Operating System Security Settings.

Evaluation of Management’s Comments

The U.S. Postal Service, Office of Inspector General (OIG) considers management’s comments responsive to the recommendations, and their corrective actions should resolve the issues identified in the report.

The OIG considers recommendation 3 significant, and therefore requires OIG concurrence before closure. Consequently, the OIG requests written confirmation when corrective actions are completed. This recommendation should not be closed in the Postal Service’s follow-up tracking system until the OIG provides written confirmation that the recommendation can be closed.

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Frances E. Cain, director, Information Technology, or me at (703) 248-2100.

Darrell E. Benjamin, Jr.
Deputy Assistant Inspector General for Revenue and Systems

Attachments

cc: Deborah J. Judy
    Gregory “Dean” Larrabee
    Cliff M. Biram
    Sally K. Haring

APPENDIX A: ADDITIONAL INFORMATION

BACKGROUND

Logical access controls include the use of computer hardware and software to prevent or detect unauthorized access. For example, a system or information resource may require users to authenticate with a logon identification, user name, password, or other identifier that conforms to the concepts of least privilege and need-to-know. Inadequate access controls diminish the reliability of computerized data and increase the risk of destruction or inappropriate disclosure of data.

The xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx is the enterprise directory for the Postal Service. It is the authoritative source for all centrally supported and managed Windows-based systems. The Postal Service bases access to all infrastructure platforms, remote access methods, and national applications on user and machine credentials in the xxx Active Directory. Microsoft Windows Active Directory[5] enables single-point administration to organize, manage, authenticate, and control information within the Windows environment. Information Technology Engineering and Architecture staff located at the xxxxxxxxxxxx support the Active Directory.

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this audit was to determine whether the Postal Service established adequate logical controls to limit or detect inappropriate access to its Windows operating environment.

Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxx.

To accomplish the objective, we reviewed Postal Service documentation and available policies and procedures, interviewed key officials, and examined other material deemed necessary to accomplish our objective. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx[6]

[5] The latest version of Microsoft Windows Server 2008 R2 renamed Active Directory to Active Directory Domain Services.
[6] xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.

We conducted this performance audit from June 2009 through March 2010 in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. We discussed our observations and conclusions with management on February 22, 2010, and included their comments where appropriate. We used manual and automated techniques to analyze the data obtained from the domain controllers. Based on the results of these tests and assessments, we concluded the data were sufficient and reliable to use in meeting the objective.

PRIOR AUDIT COVERAGE

Report Title: Access Controls xxxx Xxxxxxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxx xxxx
Report Number: IS-AR-08-015
Final Report Date: 8/15/2008
Report Results: We reviewed the following two applications operating in a Windows environment: xxxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxx. Our review verified that management implemented proper access controls, providing reasonable assurance that data files and application programs are protected against unauthorized modification, disclosure, loss or impairment. We found no issues associated with the applications reviewed.

Report Title: System Software Controls xxxxxxxxxx, xxxxxxxxxxxxxxx xxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxx
Report Number: IS-AR-08-011
Final Report Date: 6/3/2008
Report Results: We reviewed three application servers covering xxxxxxxxx in the Windows environment. Our review verified that management implemented proper access controls, procedures for monitoring software infrastructure, and controls for change and configuration management. We found no issues associated with the specific applications reviewed.

Report Title: Information Systems Access Controls at Selected Information Technology Facilities for Fiscal Year 2007
Report Number: IS-AR-08-002
Final Report Date: 11/6/2007
Report Results: We evaluated Active Directory security settings and found Windows default password settings did not comply with Postal Service Policy.[7] Management agreed and implemented the recommendation to change the default password settings according to policy requirements.

Report Title: System Software Controls xxxxxxxxxx, xxxxxxxxxxxxxxxxx Xxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxxxx xxxx
Report Number: IS-AR-07-013
Final Report Date: 8/3/2007
Report Results: We reviewed Windows systems controls over auditing, domain controllers, and global settings. We verified that management appropriately configured the Windows operating system at the domain level and that the domain global settings record all accesses to system files. We verified that management used system utilities such as Active Directory, BMC Patrol, Microsoft Operations Manager, Systems Management Server 2003, and Symantec Anti-Virus[8] to enhance security. We did not make any recommendations in this report.

Report Title: Information System Access Controls xxxx Eagan, Minnesota and San Mateo, California, Information Technology and Accounting Service Centers
Report Number: IS-AR-06-018
Final Report Date: 9/27/2006
Report Results: We found Windows access controls were adequate to protect computer and information resources at the data centers against unauthorized modification, loss, and disclosure. We found no issues associated with the specific applications.

[7] Handbook AS-805.
[8] BMC Patrol monitors the performance and availability of servers, applications, and storage and network devices. Microsoft Operations Manager is a performance and event-monitoring product from Microsoft targeting Windows systems. Systems Management Server 2003 validates software loaded on workstations and servers. Symantec Anti-Virus detects and prevents virus attacks.

APPENDIX B: DETAILED ANALYSIS

Active Directory Management

System administrators were not updating the Active Directory OUs, groups, and accounts xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. For example, administrators did not:

• Group distribution lists for xxxxxxxxxxxxxxxxxx with the distribution lists for the xxxxxxxxxxxxxxxxxxxxxxxxxxx.

• Remove an xxx backup account assigned to a terminated employee.

• Remove unused Active Directory objects such as test accounts and a printer OU.

• Delete unused OUs, xxxxxxxxxxxxxxxxxx.

• Move an Active Directory group from an incorrect OU to the correct OU.

This occurred because administrators do not have clearly defined responsibilities for maintaining and updating Active Directory objects regularly.
Postal Service policies require the periodic review and update of accounts to restrict access according to the least-privilege and need-to-know principles.[9]

By properly maintaining Active Directory objects, management can reduce the risk of unauthorized access to Postal Service information resources, access authority that exceeds job responsibilities, and operational disruptions.

Prompted by our review, management began corrective action to update and remove obsolete objects. Additionally, an initiative within eAccess[10] has a new automated feature that will facilitate the reconciliation of certain types of accounts to enhance security over Active Directory.

Security Standards Compliance

Domain controllers running on the Windows operating systems did not comply with the requirements documented in the latest Postal Service Windows security standards. These standards contain approximately 150 required security settings. On the three servers reviewed, we found 32 of the 150 settings – xxxxxxxxxxxxxxxxxxxxxxxxxxx – that did not comply with the Windows security standards. This occurred because management was not performing a comprehensive review of server configurations against the Windows security standards and was not maintaining the security standards document. Management periodically runs a script to review server configurations. The script retrieves the results of approximately 80 security settings that address Sarbanes-Oxley requirements. Postal Service policy[11] requires management to adhere to the security standards and review operating system configurations periodically. Management can strengthen security over information resources to protect against accidental or intentional unauthorized use, modification, disclosure, or destruction by ensuring server configuration settings comply with Postal Service policy.[12]

[9] Security Standards for Windows 2003 Servers, Section 1.2 and Handbook AS-805, Section 9-3.2.5.
[10] eAccess provides automated access management capabilities to Postal Service information resources, including xxx accounts, applications, and databases.
[11] Handbook AS-805, Section 8-5.4.2, Harden Information Resources; Section 10-2.3.1, Hardening Servers.
[12] Security Standards for Windows 2003 Servers, Section 3.10, Operating System Security Settings.

APPENDIX C: MANAGEMENT’S COMMENTS